All Flashcards

(269 cards)

1
Q

IAM Best Practices

A

MFA
Strong Password policy
Create individual Users instead of using root
Use roles for EC2 instances

2
Q

Web Application Firewall (WAF)

A

Protects against common attack patterns
SQLi
XSS

3
Q

Shield

A

DDoS protection service

4
Q

Shield Standard

A

Always on
Free

5
Q

Shield Advanced

A

Provides enhanced protections and 24/7 access to AWS experts for a fee
Protects:
CloudFront
Route53
Elastic Load Balancing
AWS Global Accelerator

6
Q

Macie

A

helps you discover and protect sensitive data
Uses Machine Learning
Evaluates S3
uncovers PII - Personally Identifiable Information

7
Q

Config

A

Track configuration over time
Delivers configuration history to S3
Notifications via Simple Notification Service (SNS) of every configuration change

8
Q

GuardDuty

A

intelligent threat detection system that uncovers unauthorized behavior
uses machine learning
Built in for EC2, S3 & IAM
Reviews CloudTrail, VPC Flow Logs, and DNS logs

9
Q

Inspector

A

works with EC2 instances to uncover and report vulnerabilities.
Agent installed on EC2
Report vulnerabilities found
Checks access from the internet, remote root login, vulnerable software versions, etc

10
Q

AWS Management Console

A

You’re able to configure and manage your instances via a web browser.

11
Q

Secure Shell (SSH)

A

SSH allows you to establish a secure connection to your instance from your local laptop.

12
Q

EC2 Instance Connect (EIC)

A

EIC allows you to use IAM policies to control SSH access to your instances, removing the need to manage SSH keys.

13
Q

AWS Systems Manager

A

Systems Manager allows you to manage your EC2 instances via a web browser or the AWS CLI.

14
Q

EC2 Pricing - On Demand

A

Fixed price - billed down to the second.
No contract, pay for only what you used

low cost without any upfront payment or long term commitment
Application with an unpredictable workload that can’t be interrupted
Application under development
Workload will NOT run longer than a year

15
Q

EC2 Pricing - Reserved Instances

A

Application with steady-state usage
Can commit to 1 to 3 years
Pay upfront for discount on On-Demand prices
application requires capacity reservations

16
Q

EC2 Pricing - Dedicated Hosts

A

Paying for physical server
Bring your own server-bound license, like Microsoft or Oracle
have regulatory or corporate compliance around tenancy models

17
Q

EC2 Pricing - Savings Plans

A

commit to COMPUTE usage (measured per HOUR) for 1 or 3 years
Lower bill across multiple computing services
Flexibility to change compute services, instance types, operating systems, or regions

18
Q

Horizontal Scaling

A

Horizontal scaling (or scaling out) adds or replaces instances

19
Q

Vertical Scaling

A

Vertical scaling (or scaling up) upgrades an existing instance.

20
Q

Amazon Machine Images (AMI)

A

You can use a preconfigured template called an Amazon Machine Image (AMI) to launch your instance.

21
Q

Free Tier

A

750 compute hours per month

22
Q

Auto Scaling

A

Auto Scaling improves the availability of your applications; don’t confuse it with load balancing.

23
Q

Auto Scaling

A

Auto Scaling improves the availability of your applications; don’t confuse it with load balancing.

24
Q

Lambda Features

A
  1. Supports popular programming languages like Java, Go, PowerShell, Node.js, C#, Python, and Ruby.
  2. You author code using your favorite development environment or via the console.
  3. Lambda can execute your code in response to events.
  4. Lambda functions have a 15-minute timeout.
25
Lambda Features
1. Supports popular programming languages like Java, Go, PowerShell, Node.js, C#, Python, and Ruby. 2. You author code using your favorite development environment or via the console. 3. Lambda can execute your code in response to events. 4. Lambda functions have a 15-minute timeout.
26
Lambda Pricing
Compute time - only pay for compute time used. Request count - a request is counted each time it starts execution (a test invoked in the console counts as well). Free tier - 1 million requests each month.
27
Lambda Pricing
Compute time - only pay for compute time used. Request count - a request is counted each time it starts execution (a test invoked in the console counts as well). Free tier - 1 million requests each month (always free even after free usage tier expires).
28
AWS Fargate
Manage containers like Docker. Scales automatically. Serverless.
29
Amazon Lightsail
Deploy preconfigured applications, like WordPress websites. Includes a virtual machine, SSD-based storage, data transfer, DNS management, and a static IP. Simple screens for people with no cloud experience. Provides a low, predictable monthly fee, as low as $3.50.
30
AWS Outposts
Allows you to run cloud services in your internal data center. Hybrid experience. AWS delivers and installs cloud in on-prem data center. Access to cloud services and APIs to develop apps on premises. Supports workloads that need to remain on premises due to latency or sovereignty needs.
31
AWS Batch
Process large workloads in smaller chunks (or batches). Dynamically provisions instances based on volume. Runs hundreds and thousands of smaller batch processing jobs.
32
Amazon S3 (Simple Storage Service)
*****S3 is a regional service, but bucket names must be globally unique. Objects (or files) are stored in buckets (or directories). Essentially unlimited storage that can hold millions of objects per bucket. You can upload objects via the console, the CLI, or programmatically from within code using SDKs. Objects can be public or private. You can enable versioning to create multiple versions of your file in order to protect against accidental deletion and to use a previous version.
33
S3 Security
You can set security at the bucket level or individual object level using access control lists (ACLs), bucket policies, or access point policies.
34
S3 Access Logs
You can use S3 access logs to track the access to your buckets and objects.
35
S3 Durability and Availability
Durability - 11 9's. Availability - 5 9's.
36
Storage - S3 Standard
Data stored across multiple Availability Zones. Recommended for frequently accessed data.
37
Storage - S3 Intelligent Tiering
Automatically moves data to the most cost-effective storage. Data stored across multiple Availability Zones. Recommended: data with unknown or changing access patterns.
38
Storage - S3 Standard Infrequent Access (IA)
Data accessed less frequently but requires RAPID ACCESS. Data stored across multiple Availability Zones. Recommended for: long-lived data, infrequent access, millisecond access when needed.
39
Storage - S3 One Zone - Infrequent Access (IA)
Less frequently accessed but requires rapid access. Stored across multiple AZs. Cheaper than S3 Standard. Recommended for: long-lived data, infrequent access, millisecond access when needed.
40
Storage - S3 Glacier
Long-term data/archival. Data retrieval takes longer. 3 retrieval options: 1-5 minutes, 3-5 hours, 5-12 hours. Stored across multiple AZs. *Cheap storage option/long-term backup.
41
Storage - S3 Glacier Deep Archive
Like S3 Glacier but longer to access: 12 hours or 48 hours. Cheapest of all S3 options. Data stored across multiple AZs. Long-term data archival - access once or twice a year. Retaining data for regulatory compliance.
42
Storage - S3 Outpost
Provides object storage on premises. Single storage class. Data stored across multiple devices and servers. Data that needs to be kept locally/demanding application performance needs.
43
EBS (Elastic Block Store)
Data persists when the instance is not running. Tied to one AZ. Can ONLY be attached to ONE instance in the same AZ. Recommended for: quick access, running a DB on an instance, long-term data storage.
44
EC2 Instance Store
Storage on disk PHYSICALLY attached to an instance. Faster I/O speed. Storage is TEMPORARY; when the instance is stopped, data is lost. Recommended: temp storage needs, data replicated across multiple instances.
45
EFS (Elastic File System)
ONLY supports Linux. More expensive than EBS. Accessible across different AZs in the same Region. Recommended: main directories for business-critical apps, lift/shift existing enterprise apps.
46
Storage Gateway
Connects on premises/cloud. Supports hybrid model. Recommended: moving backups to the cloud, reducing cost for hybrid cloud storage, low-latency access to data.
47
AWS Backup
Integrates with EC2, EBS, EFS. Create backup plan - frequency/retention.
48
CloudFront
**Global distribution of content. ****Makes content global or restricts it based on location. Content Delivery Network that delivers data and applications globally with low latency. Can stop DDoS attacks. *Speeds up delivery of static and dynamic web content. *Uses edge locations to cache content.
49
Amazon Global Accelerator
***Sends traffic through AWS global network infrastructure. Improves latency/availability on single-Region applications. 60% performance boost. Automatically re-routes traffic to healthy regional endpoints.
50
AWS S3 Transfer Acceleration
***Fast transfer of files over long distances. Uses CloudFront's globally distributed edge locations. Customers around the world can upload to a central bucket.
51
Amazon Virtual Private Cloud (VPC)
A VPC spans Availability Zones in a Region. Foundational service that allows you to create a secure private network in the AWS cloud where you launch your resources. Launch resources like EC2 instances inside the VPC. Isolate and protect resources.
52
Internet Gateway
Don't forget an internet gateway allows traffic to the public internet and peering connects 2 VPCs together.
53
Amazon Route 53
DNS service that routes users to applications. ***Performs health checks on AWS resources. Domain name registration. Supports hybrid cloud architectures.
54
AWS Direct Connect
Direct Connect is a dedicated physical network connection from your on-premises data center to AWS. ***Supports a hybrid environment. Data travels over a private network. Dedicated physical network connection.
55
AWS VPN
Site-to-Site VPN creates a secure connection between your internal networks and your AWS VPCs. ***Supports a hybrid environment. Similar to Direct Connect, but data travels over the public internet. Data is automatically encrypted. Connects your on-premises data center to AWS.
56
API Gateway
API Gateway allows you to build and manage APIs. Share data between systems. Integrate with services like Lambda.
57
Amazon Relational Database Service (RDS)
Service that makes it easy to launch and manage relational databases. Supports popular database engines. Offers high availability and fault tolerance using Multi-AZ deployment option. AWS manages the database with automatic software patching, automated backups, operating system maintenance, and more. Launch read replicas across regions in order to provide enhanced performance and durability.
58
Amazon Aurora
Aurora is a relational database compatible with MySQL and PostgreSQL that was created by AWS. 5x faster than normal MySQL and 3x faster than normal PostgreSQL. Scales automatically while providing durability and high availability. Managed by RDS.
59
Amazon DynamoDB
DynamoDB is a fully managed NoSQL key-value and document database. ***NoSQL key-value database. Fully managed and serverless. Non-relational. Scales automatically to massive workloads with fast performance.
60
Amazon DocumentDB
DocumentDB is a fully managed document database that ****supports MongoDB. Fully managed and serverless. Non-relational.
61
Amazon ElastiCache
ElastiCache is a fully managed in-memory datastore compatible with Redis or Memcached. ****In-memory datastore. Data can be lost. Offers high performance and low latency.
62
Amazon Neptune
Neptune is a fully managed graph database that supports highly connected datasets. ***Create social media graph. Graph database service. Supports highly connected datasets like social media networks. Fully managed and serverless. Fast and reliable.
63
Database Migration Service (DMS)
DMS helps you migrate databases to or within AWS. Migrate on-premises databases to AWS. Continuous data replication. Supports homogeneous and heterogeneous migrations. Virtually no downtime.
64
Server Migration Service (SMS)
SMS allows you to migrate on-premises servers to AWS. Migrates on-premises servers to AWS. Server saved as a new Amazon Machine Image (AMI). Use AMI to launch servers as EC2 instances.
65
Snowcone
8 terabytes of usable storage. Offline shipping. Online with DataSync.
66
Snowball and Snowball Edge
Petabyte-scale data transport solution. Transfer data in and out. ***Cheaper than internet transfer. ***Snowball Edge supports EC2 and Lambda.
67
Snowmobile
Multi-petabyte or exabyte scale. Data loaded to S3. Securely transported.
68
DataSync
DataSync allows for online data transfer from on-premises to AWS storage services like S3 or EFS. Migrates data from on-premises to AWS. Copy data over Direct Connect or the internet. Copy data between AWS storage services. ***Replicate data cross-Region or cross-account.
69
Redshift
Redshift is a scalable data warehouse solution. Handles exabyte-scale data
70
Amazon WorkSpaces
Amazon WorkSpaces provides a Desktop as a Service (DaaS) solution. https://aws.amazon.com/workspaces/?workspaces-blogs.sort-by=item.additionalFields.createdDate&workspaces-blogs.sort-order=desc
71
DDoS
Web Application Firewall (WAF), AWS Shield, Route 53, CloudFront
72
Shared responsibility model
Under the Shared Responsibility Model, AWS takes responsibility for managing all the hardware (including access, patching, and other maintenance) and software required to deliver the service — which in this case is the EC2 instance. Anything to do with the instance itself is the responsibility of the customer
73
Platform-as-a-service solution
The platform-as-a-service model removes the need for organizations to manage the underlying infrastructure (usually hardware and operating systems) and allows you to focus on the deployment and management of your applications.
74
EC2 - Block network access
Security group - The security group acts as a virtual firewall to protect the EC2 instance.
75
Cannot perform any Amazon RDS actions on the Clients table.
Create an identity-based policy. & Add the user to the group that has the necessary permission policy. By default, an IAM user can’t access anything in the AWS account. So, the inability to perform the RDS actions on the Clients table is not a technical or password issue. To grant access, you would need to create an identity-based policy.
76
What real-time guidance does Trusted Advisor provide?
Low utilization on EC2 instances. S3 bucket permissions for public access. Exposed access keys.
77
Which content fields does CloudTrail track when a user accesses the AWS Management Console?
Region, Username
78
What allows you to restrict access to an entire S3 bucket?
Bucket policies - Bucket policies allow you to control access to entire buckets.
79
Which of the following can be specified as an origin when creating a CloudFront distribution?
S3 Bucket Elastic Load Balancer Domain Name
80
What benefits can CloudFront bring to your e-commerce website?
Increased application availability. Protection against network and application layer attacks via WAF. Lower latency for customers of your e-commerce website.
81
You are trying out AWS on a trial basis and need to deploy an application without having to configure servers. Which AWS service can you use?
Elastic Beanstalk - Elastic Beanstalk allows you to deploy your web applications and web services to AWS. https://aws.amazon.com/elasticbeanstalk/
82
Which of the following engines are classified as relational databases on AWS?
Aurora, MariaDB
83
After experiencing unusual behavior in your AWS account, you need to determine if there are any issues with AWS that may be affecting your account. What section of the AWS Management Console helps you inspect account alerts and find remediation guidance for your account?
AWS Personal Health Dashboard - AWS Personal Health Dashboard gives you a personalized view of the status of services and resources used by your applications.
84
Which of the following database migrations are classified as heterogeneous?
Oracle to Amazon Aurora PostgreSQL. Microsoft SQL Server to Amazon Aurora PostgreSQL.
85
Which AWS service would enable you to view the spending distribution in 1 of your AWS accounts?
AWS Cost Explorer - Cost Explorer allows you to visualize and forecast your costs and usage over time.
86
An independent developer needs help with monitoring service limits to ensure they don't exceed free-tier usage on their account. Which services will help them monitor service limits?
Trusted Advisor - Trusted Advisor has a service limit dashboard that helps you monitor service limits. CloudWatch - CloudWatch Alarms can be used to determine the percentage of utilization versus the limit.
87
Inspector
Inspector works with EC2 instances to uncover and report vulnerabilities.
88
Your company is considering migrating its data center to the cloud. Which of the following is an advantage of the AWS Cloud over an on-premises data center?
Replace upfront capital expenses with low variable costs. All the hardware purchased upfront for a data center will be replaced by resources that are variable in nature with low upfront costs. https://d1.awsstatic.com/whitepapers/introduction-to-aws-cloud-economics-final.pdf
89
A company would like to reduce operational overhead when operating AWS infrastructure. Which service can help them do this?
Managed Services - Managed Services helps you efficiently operate your AWS infrastructure and reduces operational risks and overhead.
90
A small software company is starting to work with the AWS Cloud. Which service will allow them to find, test, buy, and deploy software that runs on AWS?
AWS Marketplace - Marketplace is a digital catalog of prebuilt solutions you can purchase or license. You may also use it to sell solutions to others. https://aws.amazon.com/marketplace?aws=hp
91
You are managing the company's AWS account. The current support plan is Basic, but you would like to begin using Infrastructure Event Management. What support plan (that already includes Infrastructure Event Management without an additional fee) should you upgrade to?
Upgrade to Enterprise plan. AWS Infrastructure Event Management is a structured program available to Enterprise Support customers (and Business Support customers for an additional fee) that helps you plan for large-scale events, such as product or application launches, infrastructure migrations, and marketing events. https://aws.amazon.com/premiumsupport/programs/iem/#:~:text=AWS%20Infrastructure%20Event%20Management%20is,infrastructure%20migrations%2C%20and%20marketing%20events.
92
A company is considering a serverless architecture and wants to build and run applications without having to manage infrastructure. Which AWS services should the company consider using when building applications?
Fargate, Lambda, S3, DynamoDB. EC2 is not serverless.
93
What is a geographical area of the world that is a collection of logically grouped data centers?
A Region is a geographical area of the world that is a collection of data centers logically grouped into Availability Zones. Availability Zones (AZs) consist of 1 or more physically separated data centers.
94
A company is developing a new web application that has high availability requirements. How can the company increase availability when deploying the application?
Utilize a multi-Region deployment when deploying the application. Deploy the application to span across multiple Availability Zones (AZs). NOT - While CloudFront speeds up the global delivery of static content, it alone doesn't ensure high availability.
95
Auto Scaling
The Auto Scaling group can be used to scale out and scale in the instances as the demand dictates. This will save money and avoid having instances sitting idle for long periods of time. AWS Auto Scaling monitors your applications and automatically adjusts your capacity to maintain steady, predictable performance at the lowest possible cost. Using AWS Auto Scaling, it’s easy to set up application scaling for multiple resources across multiple services in minutes. https://aws.amazon.com/autoscaling/
96
CloudWatch Alarms
A CloudWatch alarm can be set up to monitor CPU utilization and trigger further action. Further action could be an Auto Scaling group adding another EC2 instance and/or using SNS to notify team members of the occurrence.
97
When configuring an Application Load Balancer (ALB), what step should you take to ensure a highly available architecture?
Configure the load balancer to serve traffic to multiple Availability Zones. You would set up the load balancer to deliver traffic across multiple Availability Zones
98
A solutions architect is designing a new application for a customer. In designing the system, the architect recommends that content be cached to reduce latency to the end user. Which piece of the AWS global infrastructure allows for content to be cached and served from the nearest point to the user?
Edge location - An edge location uses cached copies of your content for fast delivery to users. Don't forget CloudFront speeds up delivery using edge locations.
99
Which AWS service can help you optimize your AWS environment by giving recommendations to reduce cost, increase performance, and improve security?
AWS Trusted Advisor - Trusted Advisor provides real-time guidance to help you provision your resources following AWS best practices. https://aws.amazon.com/premiumsupport/technology/trusted-advisor/
100
A customer set up an Amazon S3 bucket to accept downloads from their mobile application users. Due to data privacy requirements, the customer needs to automatically and continually scan S3 for the users' addresses. Which service can do this?
Macie uses machine learning to discover sensitive data stored on Amazon S3. Macie automatically detects a large and growing list of sensitive data types, including personally identifiable information (PII) such as names, addresses, and credit card numbers.
101
Athena
While Athena is a query service for S3 that allows the use of standard SQL, Athena does not automatically and continually query S3 for sensitive data.
102
A customer has created an Administrators group in IAM containing 5 users. What does the customer attach to the group to ensure all the users have the needed administrative access?
IAM policy - Policies can be attached to a group to ensure all users in the group have the same access. AWS even has a managed policy, Administrator Access, you can use.
103
IAM role
IAM roles are not associated with a specific user or group. Roles are meant to be assumed by anyone who needs it for a temporary period of time.
104
How would you create and manage access keys for users that need to access AWS services from the AWS Command Line Interface (CLI)?
Identity and Access Management (IAM) - IAM allows you to create and manage access keys for an IAM user. NOT - Systems Manager - Systems Manager gives you visibility into and control over your AWS resources.
105
A company wants to provide access to an Amazon S3 bucket to all applications running on a Reserved Instance (RI) that's been assigned to a specific Availability Zone. What's the best way to give S3 access to all applications running on the EC2 instance?
Use an instance profile to pass an IAM role with Amazon S3 permissions to the EC2 instance. The company will need to create a role that grants access to S3 and associate it with the instance.
106
IAM credential report
The IAM credential report lists all the users and the status of their various credentials, including passwords, access keys, server certificates, and MFA devices.
107
Which of the following is an AWS Well-Architected Framework design principle related to operational excellence?
Deploy smaller, reversible changes. This is a design principle related to operational excellence. Smaller changes can easily be reverted, if necessary.
108
Which is the most efficient AWS feature that allows a company to restrict IAM users from making changes to a common administrator IAM role created in all accounts in their organization?
Service control policies (SCPs) - AWS Organizations provides central governance and management for multiple accounts. Organization SCPs allow you to create permissions guardrails that apply to all accounts within a given organization.
109
A developer doesn't want to hardcode the database password in their application code when developing a new application. Which service will help with accessing the password without having to hardcode it?
Secrets Manager - Secrets Manager allows you to manage and retrieve secrets (passwords or keys).
110
You need to stream data in real time for a dashboard application. Which AWS service would you use?
AWS Kinesis - Kinesis allows you to analyze data and video streams in real time. https://aws.amazon.com/kinesis/ AWS CloudTrail - CloudTrail tracks user activity and API calls within your account. https://aws.amazon.com/cloudtrail/
111
When you upload an object to S3 storage, where will AWS keep it?
In multiple Availability Zones within the Region you select - Any object uploaded to S3 is automatically stored in multiple Availability Zones in the Region in which it was uploaded. This means that if any single AZ in a Region is experiencing issues, objects stored in S3 will still be available. Although objects in S3 can be made to be accessible globally, by default they are always stored in a redundant fashion in only the Region they were uploaded, ruling out the other answers. https://aws.amazon.com/s3/
112
AWS VPC is a component of which of the following overall service categories?
Networking and Content Delivery - Amazon Virtual Private Cloud (Amazon VPC) gives you full control over your virtual networking environment, including resource placement, connectivity, and security. VPC can be found under the Networking and Content Delivery category of services in the AWS Management Console. AWS Networking and Content Delivery Services.
113
Which of the following is TRUE when considering subnets in a VPC?
By default, all subnets within a VPC can communicate with each other. By default, all subnets within a VPC can communicate with each other, without needing any other resources or configuration. https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html
114
How can Auto Scaling help your resources handle changes on demand?
By adding or removing EC2 instances from your EC2 fleet based on conditions you specify - Auto Scaling allows you to automatically add or remove EC2 instances based on conditions you specify - these can include such things as at a specific time, or depending on how busy your application is. Auto Scaling cannot change the size of existing instances, nor can it add or change storage on an instance. https://aws.amazon.com/autoscaling/
115
A customer is migrating their on-premises data center to AWS and has bandwidth constraints. Which service allows them to transport exabyte-scale datasets into AWS in a cost-effective and secure manner?
Snowmobile - The Snow Family allows you to transfer large amounts of on-premises data to AWS using a physical device. Snowmobile transports multi-petabyte or exabyte-scale data.
116
By default, what can a private subnet communicate with?
Other private subnets in the same VPC - By default, a private subnet can only communicate with other subnets in the same VPC, be they private or public. In order to communicate to the internet, a NAT gateway and internet gateway are required, and to enable communication between subnets in different VPCs, the VPCs must first be peered. https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html#vpc-subnet-basics Public subnets in the same VPC - By default, a private subnet can only communicate with other subnets in the same VPC, be they private or public. https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html#vpc-subnet-basics
117
A customer has an on-premises 5-gigabyte Oracle database that needs to be migrated to AWS and converted to Aurora. The customer requires minimal downtime to the database. Which service is the best option for migration and conversion?
Database Migration Service - DMS supports homogeneous migrations like Oracle to Oracle and heterogeneous migrations like Oracle to Aurora, with minimal downtime. NOT - DataSync - While DataSync provides online data transfer from on-premises to services like S3 or EFS, DataSync doesn't convert from one database engine to another.
118
Your sales operations group would like to perform monthly analyses on large amounts of sales activity. They want to be able to rank the performance of different territories, product categories, and sales channels. They will use visualization tools to generate graphical representations of the data. Which AWS service will provide the best solution for storing the sales data?
Amazon Redshift - Amazon Redshift provides the best solution for performing queries based on a predefined set of dimensions. Redshift organizes data for high performance based on user-specified distribution schemes. Amazon ElastiCache provides in-memory performance, but no data organization assistance. Amazon Aurora and Amazon DynamoDB are good solutions, but Redshift's columnar storage gives it the edge.
119
A customer would like to store secondary backup copies of on-premises data to the cloud. The customer is not concerned about an extra level of protection by geographic redundancy but requires rapid access to the data when it is needed. Which Amazon S3 storage class should be used as the lowest cost option with rapid access?
S3 One Zone-Infrequent Access - S3 One Zone-Infrequent Access is designed for customers who want a lower cost option for infrequently accessed data but do not require the multiple Availability Zone data resilience model of the S3 Standard or S3 Standard-Infrequent Access storage classes. S3 One Zone-Infrequent Access provides millisecond access when the data is needed.
120
A large manufacturing company would like to provide real-time feedback to machine operators regarding optimum machine speeds enabling less experienced operators to detect breaks earlier and maintain quality. Which service will allow the company to train and deploy a machine learning model that can detect machine issues early?
SageMaker - SageMaker helps you build, train, and deploy machine learning models quickly.
121
Which of the following are classified as migration services?
AWS Application Discovery Service - AWS Application Discovery Service helps you gather information about your on-premises environment and is considered a migration tool. https://aws.amazon.com/cloud-migration/ AWS Snowball - Snowball helps you migrate massive amounts of data into cloud, so it is considered a migration tool. https://aws.amazon.com/cloud-migration/
122
You have just created a new bucket and uploaded a file into it. Will this be automatically viewable by anyone on the internet?
No - by default, buckets and their contents are private By default, all data stored in S3 is not viewable by the public. If you want a bucket or object to be accessible by the public, you must explicitly make it so. NAT gateways and internet gateways are needed to allow communications between VPCs and the internet, but they are not required when it comes to S3. https://aws.amazon.com/s3/faqs/#security
123
A company that owns several warehouses (used to store and resell millions of like-new, open-box, and pre-owned items) would like to analyze images from their on-premises cameras to automatically detect if employees are wearing head covers (helmets) and other protective equipment. Which service can be used to perform the image analysis?
Rekognition The company can use Rekognition to identify objects like protective equipment in their images and detect if employees are wearing the required protective equipment.
124
A customer wants access to the full set of Trusted Advisor checks. What's the minimum support plan they need to have access to?
Business Support Business Support is the minimum plan that provides access to the full set of Trusted Advisor checks.
125
A company is considering migrating its applications to AWS. Which costs should the company consider when comparing its on-premises total cost of ownership (TCO) to the TCO when running on AWS?
Hardware and infrastructure - The company should consider the cost of the hardware, like physical servers.
Data center cooling, power, and space requirements - The company should consider how much it costs to power its data center.
Software license costs - The company should consider the number of licenses and the cost of the licenses.
126
How can a customer with the Enterprise Support plan get help with billing and account questions?
Contact the Support Concierge team. - The Concierge agent is the primary point of contact for billing or account inquiries.
Use the AWS Support API to programmatically open a case with AWS Support. - Customers on the Enterprise Support plan have access to the AWS Support API to create, manage, and close support cases.
127
A company is migrating its workloads to AWS. Which tool will help the company estimate their potential cloud bill and calculate their overall total cost of ownership (TCO) based on their current workloads?
The company can use the AWS Pricing Calculator. The Pricing Calculator provides an estimate of AWS fees and charges. Since the company knows the workload details, the AWS Pricing Calculator can also help with calculating the total cost of ownership.
128
A company wants to ensure all AWS accounts in their environment conform to company-wide policies. Which services can help?
Control Tower - Control Tower helps you ensure your accounts conform to company-wide policies. Control Tower actually sits on top of Organizations.
Organizations - Organizations allows you to centrally manage multiple AWS accounts under 1 umbrella. You can allocate resources and apply policies across accounts.
129
A company would like someone to help them coordinate access to AWS subject matter experts when they need help. Which support plan do they need to have?
Enterprise Support provides access to a Technical Account Manager (TAM) who helps coordinate access to subject matter experts among other things.
130
You have upgraded your AWS Support plan to the Business Support level. What is true of the Business Support plan?
< 1 hour response time support when your production system goes down. The Business level support plan provides 1 hour or less response time support for production-level failures. https://aws.amazon.com/premiumsupport/plans/
131
You would like to set up a loosely coupled architecture. Which service would allow you to send and receive messages and store them if they are not consumed immediately?
AWS SQS SQS is a message queuing service that allows you to build loosely coupled systems. https://aws.amazon.com/sqs/
132
AWS SES
SES is an email service that allows you to send richly formatted HTML emails from your applications.
133
A company has an application with user bases in both Australia and Canada. The company has deployed their application to servers currently provisioned in the Canada (Central) Region. Unfortunately, Australian users are experiencing high latency and slow download times. How can the company reduce latency?
Provision resources to the Asia Pacific (Sydney) Region in Australia. A multi-Region deployment solves the issue by deploying the application closest to the user base.
134
Which of the following are geographic areas that host 2 or more Availability Zones?
A Region is a geographic area that hosts 2 or more Availability Zones. https://aws.amazon.com/about-aws/global-infrastructure/
135
Which of the following is an AWS global service?
IAM Identity and Access Management is a global service.
136
Your company has decided to migrate entirely to the AWS Cloud. Which answers are a part of the 6 advantages of cloud computing?
Go global in minutes
Stop spending money running and maintaining data centers.
137
Using Infrastructure as Code (IaC) is related to which cloud concept?
Automation Infrastructure as Code is a key implementation of automation in cloud - using Infrastructure as Code allows you to quickly and easily deploy and manage your environment without reliance on humans to complete all the tasks.
138
Which of the following is an AWS global service?
CloudFront Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency and high transfer speeds, all within a developer-friendly environment. https://aws.amazon.com/cloudfront/
139
Which of the following is correct regarding the number of Regions, Availability Zones, edge locations, and data centers?
There are more Availability Zones than Regions. Regions contain 2 or more Availability Zones, which are themselves made up of 1 or more data centers. This means there will always be more AZs than Regions. Edge locations are separate from AZs and Regions, and there are more Edge Locations than Regions and Availability Zones. https://aws.amazon.com/about-aws/global-infrastructure/regions_az/?p=ngi&loc=2
140
Which statement is true regarding the AWS Global Infrastructure?
Each AWS Region consists of multiple, isolated, and physically separate AZs within a geographic area. AWS has the concept of a Region, which is a physical location around the world where we cluster data centers. We call each group of logical data centers an Availability Zone. Each AWS Region consists of multiple, isolated, and physically separate AZs within a geographic area. Unlike other cloud providers, that often define a region as a single data center, the multiple-AZ design of every AWS Region offers advantages for customers. Each AZ has independent power, cooling, and physical security and is connected via redundant, ultra-low-latency networks. AWS customers focused on high availability can design their applications to run in multiple AZs to achieve even greater fault tolerance. AWS infrastructure Regions meet the highest levels of security, compliance, and data protection.
141
You have an Application Load Balancer for routing traffic from developers to the EC2 instance that contains a web application being put into operation. To prepare for the application going live for public use, you add an Auto Scaling group and a second Application Load Balancer to route web traffic from customers to the EC2 instance. The addition is an example of which of the following?
Scalability This is an example of scalability, which means systems are expected to grow over time with no drop in performance.
142
Which of the following statements about AWS Regions is true?
Regions are generally specific geographical areas. Regions are made up of Availability Zones. A Region is a geographical area divided into Availability Zones. Each Region contains at least 2 publicly accessible Availability Zones.
143
A company is considering the cloud deployment models when planning a new application. Which deployment model allows the company to fully stop spending money running and maintaining data centers?
Public cloud With the public cloud, all resources run in the cloud. Don't forget: This is the AWS Cloud.
144
What are the ways a user can access resources in their AWS account?
AWS Command Line Interface (CLI)
AWS Management Console
Application code
145
Which policy will provide information on performing penetration testing on your EC2 instances?
Customer Service Policy for Penetration Testing AWS customers are welcome to carry out security assessments or penetration tests against their AWS infrastructure without prior approval for Amazon EC2 instances, NAT gateways, elastic load balancers, and 7 other services. Reference: Penetration Testing.
146
Under the shared responsibility model, which of the following is the customer’s responsibility when using Amazon RDS?
Collecting monitoring data to debug failures
Using AWS encryption solutions to protect data
Taking database backups
Creating and managing database users
147
Where is the best place to store your root user access key so your application can use it to make requests to AWS?
Nowhere — you should not use the root user access keys for this. It is not recommended to use the root user account or access keys for any reason, as these grant full unrestricted access to the entire account. Recommended practice is to follow the concept of "least privilege" and create an IAM user or role with just enough access to do what is needed and nothing more, and use those keys as required. https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html
148
Which of the following AWS services can help you assess the fault tolerance of your AWS environment?
AWS Trusted Advisor AWS Trusted Advisor can help you assess the fault tolerance of your AWS environment. AWS Inspector can help you assess your security. https://aws.amazon.com/premiumsupport/trustedadvisor/
149
When analyzing application performance, a developer realizes the queries to the database are taking a long time. What can the developer implement to store common queries and improve performance?
ElastiCache ElastiCache helps you alleviate database load for data that is accessed often. ElastiCache is a great way to cache common queries.
150
A company is planning for a one-time sale of 75% off all products on its website. They expect to see a short-term spike on the sale day. Which EC2 instance type should the company use to meet its requirements and maximize flexibility?
On-Demand - On-Demand is good for applications that have unpredictable workloads that can't be interrupted.
NOT - EC2 Spot - Since the application running on an EC2 Spot Instance can be randomly interrupted, EC2 Spot is not the best choice.
151
Your team needs to begin monitoring the applications running in your AWS account by collecting metrics, logs, and events. Which AWS service can you use?
Amazon CloudWatch - CloudWatch is a collection of services that help you monitor and observe your cloud resources. https://aws.amazon.com/cloudwatch/
NOT - Amazon CloudTrail - CloudTrail tracks user activity and API calls within your account. https://aws.amazon.com/cloudtrail/
152
You have 2 software systems that need to communicate, and you also need to ensure messages are not lost between them. Which AWS service can help meet these requirements?
SQS Amazon SQS is a message queue service used by distributed applications to exchange messages through a polling model and can be used to decouple sending and receiving components. Amazon SQS also provides extremely high message durability, ensuring messages are not lost if your software systems fail.
153
SES
Amazon SES (Amazon Simple Email Service) is a flexible, affordable, and highly scalable email messaging platform for businesses and developers. Amazon SES is not a queuing system — it doesn't ensure messages are not lost if your software systems fail.
154
A company with a business-critical application needs to ensure business continuity and that they will not be impacted by capacity constraints in a given Region. How can the company ensure this?
Convertible Reserved Instance (RI) with a capacity reservation - A Reserved Instance is a reservation of resources and capacity for either 1 or 3 years. A capacity reservation offers assurance that the customer will be given preference if there is ever a capacity constraint in a Region.
On-demand capacity reservation - On-Demand Capacity Reservations enable you to reserve compute capacity for your Amazon EC2 instances for any duration.
155
A new application rolled out by the development team is going to require load balancing of HTTP and HTTPS traffic. Which load balancer is best suited for this type of traffic?
Application Load Balancer - An Application Load Balancer is best suited for load balancing of HTTP and HTTPS traffic and provides advanced request routing targeted at the delivery of modern application architectures, including microservices and containers. https://aws.amazon.com/elasticloadbalancing/
NOT - Network Load Balancer - A Network Load Balancer is best suited for load balancing of Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Transport Layer Security (TLS) traffic where extreme performance is required. https://aws.amazon.com/elasticloadbalancing/
156
Your company is migrating its services to the AWS Cloud. The DevOps team has heard about Infrastructure as Code and wants to investigate this concept. Which AWS service would they investigate?
AWS CloudFormation - AWS CloudFormation is a service that helps you model and set up your Amazon Web Services resources so you can spend less time managing those resources and more time focusing on your applications that run in AWS. https://aws.amazon.com/cloudformation/
NOT - Elastic Beanstalk - AWS Elastic Beanstalk is an easy-to-use service for deploying and scaling web applications and services developed with Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker on familiar servers such as Apache, Nginx, Passenger, and IIS. This is not what you are investigating. https://aws.amazon.com/elasticbeanstalk/
157
A developer has noticed several SQL injection attacks against a web application running on an EC2 spot instance. What is the best way to prevent this type of attack?
Web Application Firewall (WAF) - WAF helps protect your web applications against common web attacks like SQL injection attacks and cross-site scripting.
NOT - Shield Advanced - Shield is a managed Distributed Denial of Service (DDoS) protection service.
158
Global Accelerator
Global Accelerator can improve the experience by routing player traffic along the private AWS global network to the fastest instance of your application. Player traffic is not negatively impacted by internet congestion and local outages.
159
Internet gateway
An internet gateway enables resources inside your VPC to reach the internet, as long as route tables and IP addresses are correctly configured in your environment. https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Internet_Gateway.html
160
Cloud9
Cloud9 allows application developers to write code within an integrated development environment (IDE) from within their web browser.
161
A company is launching a new product and needs help with assessing its operational readiness and identifying and mitigating risks. Which feature of the Enterprise Support plan provides this?
Infrastructure Event Management - Infrastructure Event Management provides support for planning and running business-critical events.
NOT - Professional Services - Professional Services helps enterprise customers move to a cloud-based operating model.
162
A company is trying to visualize and forecast its costs and usage over time. Which service can help them?
AWS Cost Explorer - Cost Explorer allows you to visualize and forecast your costs and usage over time.
NOT - Cost and Usage Report - The Cost and Usage Report contains the most comprehensive set of cost and usage data.
163
With AWS services, you can use as many resources as you need, as well as use them when you need them. Which of the following terms can be applied to this concept?
Disposable resources - Working in a traditional infrastructure environment means you have to deal with fixed resources, which is comparatively costly and labor-intensive. By contrast, AWS services are much more convenient; the services provide the ability to use as many resources as you need and dispose of them when you no longer need them. That’s why such resources are both temporary and disposable.
Temporary resources - Working in a traditional infrastructure environment means you have to deal with fixed resources, which is comparatively costly and labor-intensive. By contrast, AWS services are much more convenient; the services provide the ability to use as many resources as you need and dispose of them when you no longer need them. That’s why such resources are both temporary and disposable.
164
A person new to the cloud is learning about the services that offer compute power. Which AWS services offer computing resources in the cloud?
Amazon Elastic Compute Cloud (EC2) - EC2 allows you to rent and manage virtual servers in the cloud.
AWS Elastic Beanstalk - Elastic Beanstalk allows you to deploy your web applications and web services to AWS. Although we covered Elastic Beanstalk in the "Deployment and Infrastructure Management Services" lesson, it is a compute service.
AWS Lambda - Lambda is a serverless compute service that lets you run code without managing servers.
NOT - Amazon Cognito - Amazon Cognito is a security service that allows you to add user authorization and authentication to your applications. Though we didn't officially go over Cognito, you may see a few service names on the exam that we didn't truly cover. Please make sure you read the "Overview of Amazon Web Services" whitepaper before the exam.
165
When you pay a subscription fee to a hosting company to serve your website on an instance you manage, which cloud computing model are you using?
Infrastructure as a Service (IaaS) - IaaS offers building blocks that can be rented. When you pay a web hosting fee, you're using IaaS.
NOT - Platform as a Service (PaaS) - PaaS is often used by developers to develop software using web-based tools.
166
A company is considering migrating to the cloud. How does moving to the cloud reduce upfront costs?
By replacing large capital expenditures with lower variable costs spread over time
167
When you access tools provided to build a storefront application that runs on another company’s server, which cloud computing model are you using?
Platform as a Service (PaaS) - PaaS is often used by developers to develop software using web-based tools.
NOT - Software as a Service (SaaS) - SaaS allows you to use a complete application on demand. When you access your personal email through a web browser, you're using SaaS.
168
Which of the following are design principles from the security pillar of the AWS Well-Architected Framework?
Apply security at all layers - Apply security at all layers is one of the security pillar design principles that can help you strengthen your workload's security in the cloud. AWS Documentation: AWS Well-Architected Framework > Security Foundations.
Enable traceability
Protect data in transit and at rest
169
For which services is DDoS protection via AWS Shield Advanced supported?
Route 53
Elastic Load Balancing
CloudFront
NOT - GuardDuty - GuardDuty is an intelligent threat detection system that uncovers unauthorized behavior.
170
What is the recommended way to give your applications running in EC2 permission to other AWS resources?
Create an IAM role with appropriate permissions and assign it to the instance. - You should use IAM roles wherever possible to enable applications running on EC2 instances to access other AWS resources. This is the most secure method to do so. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
NOT - Create an IAM group with appropriate permissions and assign it to the instance. - It is not possible to assign an IAM group or user to an instance.
171
An IAM user with administrative access is attempting to close the AWS account. After troubleshooting, the admin user uncovers they need to sign in with root user credentials in order to perform this task. What other tasks require root user credentials?
Modifying the support plan
Configuring an Amazon S3 bucket to enable MFA (multi-factor authentication) delete
Activate IAM access to the Billing and Cost Management console
Changing the email address associated with the account
172
Which of the following are programmatic access types enabling users to interact with AWS services?
API calls
AWS CLI
AWS SDKs
173
Which of the following are focuses of the cost optimization pillar of the Well-Architected Framework?
Implement cloud financial management.
Utilize consumption-based pricing
Measure overall efficiency
174
Developers in your company need to interact with AWS from the Command Line Interface. Which security item will you need to provide to the developers?
Access key When working with AWS from the CLI, you need to provide an access key and secret access key.
175
You are currently running an application in a production environment, but you want to ensure that it is free of vulnerabilities. Which of the following AWS services would you need to use?
Amazon Inspector You will need to turn to Amazon Inspector for security assessment. Not only does it identify vulnerabilities in your application, it will also spot deviations from security best practices. AWS Shield and WAF protect the application from attacks that exploit vulnerabilities, rather than identify them. Trusted Advisor only provides recommendations on how to improve security. https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html
176
How can a customer meet corporate, contractual, and regulatory compliance requirements for data security by using dedicated hardware in the cloud?
CloudHSM CloudHSM allows customers to meet compliance requirements for data security by using dedicated hardware.
177
A development team wants to gain full observability into the health of their applications and instances in order to provide the best service level to users of their applications. Which services can help them monitor the health of their applications and instances?
Elastic Beanstalk - Elastic Beanstalk monitors application health via a health dashboard.
Elastic Load Balancing - Load balancers monitor the health of EC2 instances and route the traffic to only instances that are in a healthy state.
Route 53 - Route 53 can be used to configure DNS health checks to route traffic to healthy endpoints or to monitor the health of your applications.
178
Which of the following is NOT a compute service?
Elastic Block Store Elastic Block Store is a storage service - all others are compute services.
179
A company wants to build a customer identity graph to provide a single unified view of customers and prospects by linking identifiers like website browsing history, preferences, and more. Which database product allows the customer to store and navigate billions of interconnected relationships?
Neptune Neptune is a fully managed graph database that supports highly connected datasets.
180
Which AWS service is specifically designed to assist you in processing large datasets?
EMR EMR is a service that makes it easy to process large amounts of data efficiently. https://aws.amazon.com/emr/
181
Which AWS service allows the deployment of resources in code templates, otherwise known as Infrastructure as Code?
CloudFormation allows you to provision AWS resources using Infrastructure as Code (IaC). https://aws.amazon.com/cloudformation/
NOT - OpsWorks allows you to use Chef or Puppet to automate the configuration of your servers and deploy code. https://aws.amazon.com/opsworks/
182
A gaming company is using the AWS Developer Tools suite to develop, build, and deploy their applications. Which AWS service can be used to trace user requests from end to end through the application?
AWS X-Ray AWS X-Ray provides an end-to-end view of requests as they travel through your application, and shows a map of your application’s underlying components. You can use X-Ray to analyze from simple three-tier applications to complex microservices applications consisting of thousands of services. https://aws.amazon.com/xray/
183
Scientists would like to analyze terabytes of scientific data from a rover that landed on Mars. Which service will help them find trends and understand the vast amount of data using Hadoop?
Elastic MapReduce (EMR) - EMR helps you process large amounts of data using big data frameworks like Hadoop.
NOT - Kinesis allows you to analyze data and video streams in real time.
184
Which of the following best describes EBS?
A virtual hard disk in the cloud An EBS volume is best described as a virtual hard disk in the cloud - storage that, for all intents and purposes, appears to be directly attached to your instance. These are used by the virtual server instances in the cloud, which are known as EC2 instances. https://aws.amazon.com/ebs/
185
You have been tasked to create an S3 bucket for storing templates. A team member has forwarded you the templates, which are used for creating multiple different AWS resources such as S3 buckets, EC2 instances, and VPCs. Which service uses these templates to create AWS resources?
CloudFormation CloudFormation allows you to provision AWS resources using Infrastructure as Code (IaC) and reusable templates. https://aws.amazon.com/cloudformation/resources/templates/
186
A software company is looking for a tool to automate their deployments from end to end. Which AWS service can provide this continuous delivery functionality?
CodePipeline CodePipeline automates the software release process. https://aws.amazon.com/codepipeline/
187
Which of the following AWS services allows you to run complex analytic queries against petabytes of structured data, use sophisticated query optimization, has columnar storage on high-performance local disks, and has massively parallel query execution?
Redshift Redshift allows you to run complex analytic queries against petabytes of structured data, using sophisticated query optimization, columnar storage on high-performance local disks, and massively parallel query execution. https://aws.amazon.com/redshift/
188
A development team has created a large amount of CloudFormation templates in the JSON format. Which AWS database would be best suited for storing these documents?
Amazon DocumentDB Amazon DocumentDB (with MongoDB compatibility) is a fast, scalable, highly available, and fully managed document database service that supports MongoDB workloads. As a document database, Amazon DocumentDB makes it easy to store, query, and index JSON data. Amazon DocumentDB (with MongoDB compatibility) FAQs.
189
You have a project that will require 90 hours of computing time. There is no deadline, and the work can be stopped and restarted without adverse effect. Which of the following computing options offers the most cost-effective solution?
Spot Instances Spot Instances are usually the most cost-effective solution for workloads that can be interrupted. On-Demand and Reserved Instances are both more expensive in this use case, and Custom Instances do not exist. https://aws.amazon.com/ec2/spot/
190
Which of the following AWS services can assist you with cost optimization?
AWS Trusted Advisor - Trusted Advisor can assist you with the cost optimization of your AWS environment. https://aws.amazon.com/premiumsupport/trustedadvisor/
191
You need a "virtual hard disk" for your EC2 instance. Which of the following should you choose?
EBS EBS volumes are "virtual hard disks" for your EC2 instance. https://aws.amazon.com/ebs/
192
What is the most cost-effective AWS Support Plan if you want the full set of Trusted Advisor checks?
Business The Business plan is the cheapest plan that will still provide the full set of Trusted Advisor checks. https://aws.amazon.com/premiumsupport/plans/
193
You need to track your AWS costs on a detailed level. Which tool will allow you to do this?
Cost Allocation Tags A tag is a label that you or AWS assign to an AWS resource. Each tag consists of a key and a value. Tagged resources can appear on the Cost Explorer or on a cost allocation report. https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html
194
Which of the following are support levels offered by AWS?
Basic
Developer
Business
Enterprise
195
A company would like to call AWS support to open cases when issues arise. What's the minimum support plan they need to subscribe to in order to have telephone access?
Business Support Business Support is the minimum plan that provides access to support via telephone.
196
You are an AWS Enterprise customer with questions about billing and your overall AWS account. Which of the following AWS Support personnel should you contact?
AWS Concierge For AWS Enterprise customers, the AWS Concierge is a resource dedicated to answering billing and account questions. https://www.amazonaws.cn/en/support/features/
197
You need to purchase Reserved Instances for a 3-year project. But a company initiative may change all the company compute operating systems from Windows to Linux midway through this project. What type of Reserved Instance should you purchase?
Convertible These can be exchanged during the term for another Convertible Reserved Instance with new attributes, including instance family, instance type, platform, scope, or tenancy. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/reserved-instances-types.html
198
You have decided to use the AWS Cost and Usage Report to track your EC2 Reserved Instance costs. Which AWS service can be used to store AWS Cost and Usage report files?
An S3 bucket you own You can use Cost and Usage Reports to publish your AWS billing reports to an S3 bucket you own. AWS updates the report in your bucket once a day in comma-separated value (CSV) format. You can view the reports using spreadsheet software or access them from an application using the Amazon S3 API. https://docs.aws.amazon.com/cur/latest/userguide/what-is-cur.html
199
Which of the following AWS Support levels offers 24x7 support via phone or chat?
Business The Business and Enterprise support plans, the two most expensive plans, offer 24 X 7 support via phone or chat. https://aws.amazon.com/premiumsupport/plans/
201
In the AWS Global Infrastructure, which components are physically separated and connected through low-latency links, enabling fault tolerance and high availability?
Availability Zones Availability Zones (AZs) are connected among themselves in a single Region. They are physically separated, connected through low-latency links, fault tolerant, and allow high availability.
202
Which cloud computing model offers fundamental building blocks that can be rented?
Infrastructure as a Service (IaaS) IaaS offers building blocks that can be rented. EC2 is an example of IaaS.
203
What are the 3 cloud computing models?
Platform as a Service (PaaS)
Software as a Service (SaaS)
Infrastructure as a Service (IaaS)
204
Which of the following best describes an AWS Region?
A distinct location within a geographic area designed to provide high availability to a specific geography A Region is a distinct location within a geographic area designed to provide high availability to a specific geography. Regions are a key concept in AWS' Global Infrastructure — each is made up of 1 or more isolated (within that Region) Availability Zones. There are often multiple AWS Regions on each continent, such as North America. https://aws.amazon.com/about-aws/global-infrastructure/
205
Which security service provides enhanced protections and 24/7 access to AWS experts for a fee when issues arise?
AWS Shield Advanced AWS Shield Advanced provides enhanced protections and 24/7 access to AWS experts for a fee.
206
Which of the following services will help you optimize your entire AWS environment in real-time following AWS best practices?
AWS Trusted Advisor Trusted Advisor helps you optimize your entire AWS environment in real-time following AWS best practices. It helps you optimize cost, fault tolerance, and more. https://aws.amazon.com/premiumsupport/trustedadvisor/ NOT AWS Inspector Inspector works with EC2 instances to uncover and report vulnerabilities.
207
After configuring your VPC and all of the resources within it, you want to add an extra layer of security at the subnet level. Which will you use to add this security?
Network ACL A network access control list (NACL) is an optional layer of security for your VPC that ensures the proper traffic is allowed into the subnet. https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html
208
You want to streamline access management for your AWS administrators by assigning them a pre-defined set of permissions based on their job role. Which options below are the best way to approach this?
Use IAM policies You manage permissions for IAM users, groups, and roles by creating a policy document in JSON format and attaching it. Use IAM groups Using IAM groups lets you create a list of pre-defined permissions that any user made a part of that group will be granted. Roles are primarily used to grant AWS resources permissions to other AWS resources and generally are not for end-users. Reference: IAM User Groups
209
A new application needs temporary access to resources in AWS. How can this best be achieved?
Create an IAM role and have the application assume the role. Roles define access permissions and are temporarily assumed by an IAM user or service. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html
210
What type of long-term credentials for IAM users can be used to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK)?
Access keys Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK). Access keys consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE) and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY). Like a user name and password, you must use both the access key ID and secret access key together to authenticate your requests. Reference: Managing access keys for IAM users. NOT - Security token Security tokens provide limited, short-term access for IAM users or federated (outside) users. https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html
211
Which of the below are TRUE statements when it comes to network security for an EC2 instance in AWS?
AWS is responsible for ensuring malicious traffic does not impair the network hardware. The customer is responsible for ensuring unwanted traffic does not reach the EC2 instance. The customer is responsible for ensuring malicious traffic does not reach the EC2 instance. Under the Shared Responsibility Model, AWS takes responsibility for managing all the hardware (including access, patching, and other maintenance) and software required to deliver the service. In this scenario, AWS is responsible for the underlying network hardware, not the customer. However, the customer is responsible for ensuring that only wanted, valid traffic reaches their EC2 instance through the use of security groups, access control lists, or software firewalls. https://aws.amazon.com/compliance/shared-responsibility-model/
212
You need to use an AWS service to assess software vulnerabilities and unintended network exposure of your Amazon EC2 instances. Which of the following services should you use?
Amazon Inspector Amazon Inspector is an automated vulnerability management service that continually scans Amazon Elastic Compute Cloud (EC2) and container workloads for software vulnerabilities and unintended network exposure. Reference: Amazon Inspector FAQs
213
You are creating a few IAM policies. This is the first time you have worked with IAM policies. Which tool can you use to test IAM policies?
IAM policy simulator The IAM policy simulator allows you to test and troubleshoot identity-based policies, IAM permissions boundaries, service control policies (SCPs), and resource-based policies. https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html
214
Which of the following statements are true about who can use IAM roles?
An IAM user in the same AWS account as the role. A web service offered by AWS. An IAM user in a different AWS account than the role.
215
A company would like to automate the configuration of its servers and deploy code to servers in the cloud and on-premises. Which service meets the requirement?
OpsWorks OpsWorks allows you to use Chef or Puppet to automate the configuration of your servers and deploy code on-premises or the cloud.
216
Which of the following are common use cases for S3?
Static web hosting Storing application assets
217
A developer is trying to programmatically retrieve information from an EC2 instance such as public keys, IP address, and instance ID. From where can this information be retrieved?
Instance metadata This type of data is stored in instance metadata.
218
A company is running several Linux workloads in the cloud. They are considering storage options. Which storage option should the company NOT use due to the fact the data will be lost when the instance is stopped or terminated?
EC2 Instance Store An instance store is a local storage that is physically attached to the host computer and cannot be removed. Storage is temporary since data loss occurs when the EC2 instance is stopped.
219
Which of the following AWS services is a fast, fully managed data warehouse that makes it simple and cost-effective to a
Redshift Redshift is AWS' fully managed data warehouse solution. https://aws.amazon.com/redshift/
220
A customer has a complex multi-resource application environment containing multiple EC2 instances, load balancers, S3 buckets, and more. They'd like to provision these resources in an automated and repeatable manner from environment to environment using Infrastructure as Code (IaC). Which service achieves this?
CloudFormation CloudFormation allows you to provision AWS resources using Infrastructure as Code (IaC). CloudFormation provides a repeatable process for provisioning resources like instances, load balancers, and S3 buckets.
221
A customer would like to use machine learning to uncover the meaning and relationships in text from customer support incidents to ensure customers are happy after speaking to a support agent. How can they process the text from customer support incidents?
Comprehend Comprehend is a natural language processing (NLP) service that uses machine learning to discover relationships and insights in text.
222
A company would like to implement a hybrid storage model where they connect on-premises data storage to storage in the AWS Cloud in order to move their backups to the cloud. What is the best and most efficient way to achieve this?
Storage Gateway Storage Gateway is a hybrid storage service that allows you to connect on-premises and cloud data.
223
Which of the following statements are true about the Amazon EC2 service?
It provides virtual computing environments. It supplies various configurations of CPU, memory, storage, and network capacity. You can use a preconfigured template called an Amazon Machine Image (AMI) to launch your instance. It provides scalable computing capacity in the AWS cloud.
224
A customer would like the ability to send HTML formatted emails from their application for marketing campaigns. Which service should the customer consider using?
Simple Email Service (SES) Amazon SES is an email service that allows you to send richly formatted HTML emails from your applications. It is the ideal choice for marketing campaigns or professional emails. Unlike SNS, SES sends HTML emails.
225
Which of the following AWS services gives you a personalized view of the performance and availability of the AWS services underlying your AWS resources, alerting you and providing remediation guidance when AWS is experiencing events that may affect you?
AWS Personal Health Dashboard AWS Personal Health Dashboard gives you a personalized view of the performance and availability of the AWS services underlying your AWS resources. https://aws.amazon.com/premiumsupport/phd/
226
An EC2 instance in your VPC needs which of the following for the internet gateway to route its traffic to the internet?
Public IP address An EC2 instance in your VPC needs a public IP address for the internet gateway to route its traffic to the internet. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html
227
A company is deploying an application to an EC2 instance. They care most about achieving the lowest cost possible and don't mind if their workloads are interrupted. Which pricing option should the company consider?
Spot Instance Spot Instances let you take advantage of unused EC2 capacity and are good for workloads that can be interrupted.
228
You have a read-heavy application workload resulting in I/O-intensive Amazon RDS database queries. Which service is most suitable to improve performance?
ElastiCache You can use ElastiCache to store the results of often-used queries, and this will allow quicker retrieval of this data. https://aws.amazon.com/elasticache/
229
You have been tasked with developing a plan to move applications to AWS and use AWS services to house code, build, and deploy these applications. Which AWS service will allow you to host Git-based repositories?
AWS CodeCommit CodeCommit is a source control system for private Git repositories. https://aws.amazon.com/codecommit/
230
Your design team has recommended the need to distribute incoming traffic across multiple EC2 instances and also across multiple Availability Zones. Which AWS service can accomplish this?
Elastic Load Balancing Elastic Load Balancing automatically distributes incoming application traffic across multiple targets, such as Amazon EC2 instances. https://aws.amazon.com/elasticloadbalancing/
231
What can you do using AWS Budgets?
Track costs associated with your account and choose to be alerted when expenditures exceed your fixed target amount According to AWS, "You can use AWS Budgets to set a monthly cost budget with a fixed target amount to track all costs associated with your account. You can choose to be alerted for both actual (after accruing) and forecasted (before accruing) spends."
232
When would you use the EC2 On-Demand pricing model?
No upfront payments required Unpredictable workloads that cannot be interrupted You would use the EC2 On-Demand model when you need compute capability that does not require any upfront payments or long-term commitments, and where you have applications with short-term or unpredictable workloads that cannot be interrupted.
233
A fantasy sports company needs to run an application for the length of a football season (5 months). They will run the application on an EC2 instance and there can be no interruption. Which purchasing option best suits this use case?
On-Demand This is not a long enough term to make Reserved Instances the better option. Plus, the application can't be interrupted, which rules out Spot Instances. NOT - Dedicated Dedicated Instances provide the option to bring along existing software licenses. The scenario does not indicate a need to do this.
234
You want to monitor the cost of using your AWS services and receive alerts when the thresholds you define are met. Which of the following AWS Budgets types should you create?
Cost budget You need to create a cost budget with AWS Budgets if you want to monitor the cost of using your AWS services. https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/budgets-managing-costs.html
235
You have a short-term computing task to complete. It is essential that this task run uninterrupted from start to finish. Which is the best EC2 option for this task?
On-Demand Instance It is a short-term project, which rules out Reserved Instances, and it has to run uninterrupted, which rules out Spot Instances. https://aws.amazon.com/ec2/pricing/ NOT - Dedicated Host The use of Dedicated Hosts is primarily for using existing software licenses. There is not enough information in the scenario to draw this conclusion. https://aws.amazon.com/ec2/pricing/
236
A healthcare company has nightly batch jobs that can afford to be interrupted. Which EC2 pricing model can meet this need and provide great savings by using a supply-and-demand model?
Spot Instances EC2 Spot Instances let you take advantage of unused EC2 capacity in the AWS Cloud. Spot Instances are available at up to a 90% discount compared to On-Demand prices. https://aws.amazon.com/ec2/spot/
237
A company on the Business Support plan currently runs all their applications in a single Region. They have made the decision to expand to multiple Regions. What is the process to start deploying their applications to the new Regions?
Just start deploying the applications to the new Regions. You are free to deploy your applications to new Regions. Don't forget: CloudFormation can make the process of provisioning resources easier and repeatable.
238
Which of the following does Amazon ensure will happen when paying for AWS on an as-needed basis?
Redirecting focus to innovation and invention Enabling the full elasticity of business operations Reducing procurement complexity
239
Which defines one or more discrete data centers with redundant power, networking, and connectivity?
Availability Zone An Availability Zone (AZ) is one or more discrete data centers with redundant power, networking, and connectivity in an AWS Region. AZs are physically separated by a meaningful distance, many kilometers, from any other AZ, although all are within 100 km (60 miles) of each other. Reference: Availability Zones
240
In AWS, you can stop or terminate instances when not in use. Which of the following concepts describes this capability?
Elasticity Elasticity denotes the ability to increase or reduce the number or capabilities of AWS resources when needed. In this case, stopping or terminating instances means you are reducing the number of AWS resources used in your environment.
241
Which deployment types offer the advantages of cloud computing?
Private cloud Public cloud
242
You have recently started using AWS and now need to launch a large number of instances in your VPC. You learn that this number exceeds the service limits for instances in a VPC. What can you do?
Contact AWS and request a service limit increase. Use the Limits page in the Amazon EC2 console to request an increase in the limits for resources provided by Amazon EC2 or Amazon VPC on a per-Region basis. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-resource-limits.html
243
An auditor is conducting an audit of your IT operations for compliance. The auditor requests visibility to logs of event history across your AWS-based employee expense system infrastructure. Which AWS service will record and provide you the information you need?
AWS CloudTrail AWS CloudTrail provides visibility to API call activity for AWS infrastructure and other services. AWS CloudWatch Logs might be part of a centralized logging solution, but all API event information will come from CloudTrail. AWS Systems Manager can process EC2 logs only, and AWS Compliance Manager is not a service offered by AWS. https://aws.amazon.com/cloudtrail/
244
How are permissions assigned to an IAM group?
Roles Access is assigned using policies and roles. Policies Access is assigned using policies and roles.
245
How would a customer create a virtual firewall for an EC2 instance?
With a security group Security groups act as virtual firewalls for EC2 instances.
246
You are working with IAM and need to attach policies to users, groups, and roles. Which of the following will you be attaching these policies to?
Identities Identities are the IAM resource objects that are used to identify and group. You can attach a policy to an IAM identity. These include users, groups, and roles. NOT Resources Resources are the user, group, role, policy, and identity provider objects that are stored in IAM. As with other AWS services, you can add, edit, and remove resources from IAM.
247
Which of the following statements is true of newly created security groups with their default rules?
New security groups allow only outbound traffic and block all incoming traffic. By default, new security groups start with only an outbound rule to allow all traffic to leave the instances. You must add rules to enable any inbound traffic. https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html
248
You need to set up a virtual firewall for your EC2 instance. Which would you use?
Security group A security group acts as a virtual firewall for your instance to protect your EC2 instance by controlling inbound and outbound traffic. https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html
249
Which term refers to the Identity and Access Management (IAM) resource objects that AWS uses for authentication?
Entities IAM entities are the users (IAM users and federated users) and roles that are created and used for authentication. https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html
250
Enabling Amazon GuardDuty automatically grants the service permission to analyze continuous metadata streams from which of the following data sources?
DNS query logs VPC Flow Logs AWS CloudTrail logs
251
You are using your corporate directory to grant your users access to AWS services. What is this called?
Federated access Federated access is when you use an external directory, such as your corporate one, to grant users in that directory access to AWS resources. https://aws.amazon.com/identity/federation/
252
Which service allows a user to rotate, manage, and retrieve secrets?
Secrets Manager Secrets Manager allows you to manage and retrieve secrets (passwords or keys).
253
You have been tasked with going into the AWS company account and getting information on saving money, improving system performance and reliability, and closing security gaps. Which tool can you use to get this information?
AWS Trusted Advisor Trusted Advisor provides real-time guidance to help you provision your resources following AWS best practices. https://aws.amazon.com/premiumsupport/technology/trusted-advisor/ NOT AWS Inspector Inspector works with EC2 instances to uncover and report vulnerabilities. https://aws.amazon.com/inspector/
254
Which of the following statements are true of Amazon Redshift?
It is designed for storing petabytes of data. It is a data warehouse service.
255
Which of the following statements are true of Amazon Aurora?
It is compatible with the MySQL and PostgreSQL database engines. It uses the AWS Management Console, AWS CLI commands, and API operations to handle routine database tasks. You can handle routine database tasks on it using either the AWS Management Console, AWS CLI commands, or API operations. Reference: What is Amazon Aurora?
256
ElastiCache is an example of what type of AWS service?
Database ElastiCache is an in-memory cache service used to improve database performance. This means that it saves your most common queries for quicker data retrieval rather than retrieving directly from your database. As a result, it is classified as an AWS Database service. Reference: AWS Documentation, Amazon ElastiCache
257
Which of the following falls under the AWS compute services category?
Amazon Elastic Beanstalk Amazon Elastic Beanstalk is an example of a compute service. AWS Lambda AWS Lambda is an example of a compute service.
258
Which of the following AWS services is an example of Platform as a Service?
AWS Elastic Beanstalk Platform as a Service, or PaaS, enables the development, running, and management of applications on the cloud without the need to build and maintain an infrastructure. That is precisely what Elastic Beanstalk provides; it’s the ability to quickly deploy and manage applications in the AWS Cloud without worrying about the infrastructure that runs those applications. Reference: AWS Elastic Beanstalk
259
You've been tasked with assessing your AWS infrastructure in terms of cost optimization. Which of the following AWS services would help with this task?
Trusted Advisor AWS Trusted Advisor is an online tool that provides you with real-time guidance to help you provision your resources following AWS best practices. https://aws.amazon.com/premiumsupport/trustedadvisor/ NOT - AWS Personal Health Dashboard Personal Health Dashboard provides alerts and guidance for AWS events that might affect your resources and applications.
260
Which of the following statements is true of AWS CloudTrail?
Log files are encrypted With CloudTrail, you can create a trail that either applies to one Region or to all Regions. CloudTrail delivers log files within 15 minutes of account activity.
261
Which of the following compute services is ideal if you need to run a simple website or a simple e-commerce application?
Lightsail Lightsail is ideal for simple websites or simple e-commerce applications. https://aws.amazon.com/lightsail/
262
Which of the following describes a subnet accurately?
A segment of a VPC’s IP address range where you can place groups of isolated resources. A virtual private cloud, or VPC, is the virtual network you create in your AWS account. When you create a VPC, you split it into smaller network segments by specifying a range of IP addresses. These segments are referred to as subnets, and this is where you launch your AWS resources. Reference: What Is Amazon VPC?
263
Which of the following falls under the AWS compute services category?
Amazon Elastic Beanstalk Amazon Lightsail Amazon Elastic Compute Cloud (EC2)
264
Which of the following are AWS Security, Identity, and Compliance services?
AWS Key Management Service (KMS) - It is a managed service that enables you to easily create and control the keys used for cryptographic operations. AWS Secrets Manager - It is a secrets management service that helps you protect access to your applications, services, and IT resources. AWS Security - It provides you with a comprehensive view of your security state within AWS and your compliance with security standards and best practices.
265
Which of the following AWS services can be used to create billing alarms?
CloudWatch The CloudWatch service is used to create billing alarms. NOT - Cost Explorer The Cost Explorer service is used to create custom reports that facilitate the understanding of the organization's costs and data usage.
266
Which of the following does AWS use to notify you by email when you exceed 85% of your Free Tier limits for each service?
AWS Budgets AWS Budgets notifies you when you exceed 85% of your Free Tier limits for each service you’re using by sending you an email. NOT AWS Cost Explorer Cost Explorer is actually a visualizer you can use to analyze your spend, but it does not alert you on your Free Tier usage.
267
Your Development team uses 4 On-Demand EC2 instances. Your QA team has 5 Reserved Instances, only 3 of which are being used. Assuming all AWS accounts are under a single AWS Organization, how will the Development team's instances be billed?
The Dev team will be billed for 2 instances at On-Demand prices and 2 instances at the Reserved Instance price. Since the QA team has 5 Reserved Instances and only 3 are being used, that means 2 of the Reserved Instances are free. Since both teams belong to the same AWS Organization, the pricing for the 2 unused instances would be applied to 2 of the 4 Dev On-Demand instances.
268
Which of the following statements are true of the AWS Free Tier?
Some AWS services are free for the first 12 months following the initial sign-up date to AWS. The AWS Free Tier offers some services for free for the first 12 months after signing up for an AWS account. It also offers free trials of select AWS services for a short period. So, usage is governed by these principles. Some AWS services come with short-term free trial offers. The AWS Free Tier offers some services for free for the first 12 months after signing up for an AWS account. It also offers free trials of select AWS services for a short period. So, usage is governed by these principles.
269
Upon which of these measurements is AWS Lambda pricing based?
Number of requests Duration and memory Data transfer